Introduction
If no crime is acceptable, then no security risk should be either. Yet, many companies and institutions continue to rely on outdated tools like the Risk Matrix, borrowed from Health and Safety, to justify exposure to serious threats. In the world of security, even a “low” risk is still a risk, and every overlooked vulnerability creates an opportunity for crime.
We recently conducted an independent security risk assessment in Kimberley, uncovering risks that standard assessments often overlook. Our approach identifies vulnerabilities across property, personnel, and processes, ensuring proactive measures can be recommended before incidents occur.
If you would like to learn more about our assessments or have specific topics you would like us to address, please email your suggestions to andre@alwinco.co.za. We will create and publish articles tailored to your interests on our website.
What represents an acceptable risk to you?
Security risk assessment levels – If you want to draw a distinction between acceptable risk and unacceptable risk, perhaps you need to consider what security means to you. Health & Safety has taught us that there is an “acceptable risk”, and while that may be true in the Health & Safety world, it is most definitely not true in the security world.
When you have acceptable risks, you have acceptable crimes. Which crimes are acceptable? Theft? Rape? Murder? Kidnapping? Armed Robbery? Bribery and Corruption?
If you agree that no crime should be acceptable,
You should agree that there is no security risk that should be acceptable, and no reasonable solution should be unacceptable. This means that you should take all the necessary precautions and make every effort to eliminate ALL security risks, not just some of them, in alignment with your duty, accountability, and responsibilities. We pose 2 questions below.
Question 1
Which 20% of your employees are considered expendable?
While you may feel relieved when the Risk Matrix indicates a low-risk percentage, have you ever pondered the decision-making process regarding which 10% or 20% of your employees are deemed expendable?
When you examine the Risk Matrix, you will notice five color-coded categories ranging from “high to low” risk. The dark green category represents low-risk areas, accounting for 20%, while the red category signifies the highest risk, amounting to 100%, with light green, yellow, and orange in between. In the realm of security, classifying something as low risk still implies the existence of a risk, even if it is only 20%.
A risk remains a risk, regardless of its magnitude.
Whether someone has stolen a car or taken a life, they are still considered a criminal. There is no grey area in between.
Furthermore, it is important to note that there is no “standard formula” for calculating the risk factor. The Risk Matrix, derived from the concept of Health & Safety, was applied to the security sector.
Terms like Probability and Likelihood are two words that cannot and should not be used in the context of security.
Security should not be measured based on likelihood or probability, rather, it should be assessed in terms of opportunity. Many people frequently make this mistake. Even if a risk is deemed low, it remains a risk.
The concept of acceptable risk solely applies to Health & Safety and has no place in the security risk spectrum. Essentially, the Risk Matrix should not be utilized for anything related to security.
While certain security risks may require more immediate attention than others, it is crucial to recognize that any risk, regardless of its level, must be eliminated. Accepting a security risk provides an opportunity for criminal activity.
Having a 20% risk rate means that there is a 20% chance of becoming a victim of crime. Is that a risk you are willing to take?
Question 2:
What exactly is an acceptable level of risk? Is stealing acceptable? Is corruption acceptable? How about stealing public property and municipal assets? What about a hijacking? Do you consider rape to be an acceptable risk, or does it go beyond the acceptable threshold? Who must become a victim of crime before action is taken? Most importantly, who decides what constitutes an acceptable risk, and what criteria are used to make such decisions?
If you asked anybody about acceptable crimes, they would most certainly say that no crime is acceptable. When you go into the paperwork, risk management, plans, proposals, and so on—you’ll come across the Risk Matrix, which indicates that certain percentages of risk are accepted.
Accepting the use of this matrix in any document supplied to you and working on its basis means accepting security risks that create opportunities for crime. As a result, you implicitly accept that some crimes are acceptable.
Acceptable risks will be integrated into your framework if:
- Security risks are not professionally identified.
- There are no risk-specific solutions to mitigate security risks.
- Standard Operating Procedures (SOPs) are not prepared for potential legal proceedings.
- Management procedures and processes are not established and are not verifiable.
Despite years of fighting crime and investing in security equipment, it is troubling to see that our situation has not improved and may have even gotten worse. The statistics on crime support this statement, so it is not speculative.
We are losing the fight against crime and corruption in South Africa.
The most common reason for poor security or security failures is ignorance and a lack of willpower to address them. Article written by Andre Mundell. # Security risk assessment levels
Alwinco conducts security risk assessments throughout South Africa, with a significant presence in Gauteng (including Anlin, Braamfontein, Midrand, Rivonia, and Hatfield), as well as in Bloemfontein, La Lucia, and Houtbaai.